Bug 1128607 - Test the freshness check for OneCRL (r=keeler)
authorMark Goodwin <mgoodwin@mozilla.com>
Thu, 07 May 2015 18:54:07 +0100
changeset 274225 b40e0753d6d3b83555f6d11cd4d36f5998aa1dfa
parent 274224 a4e5010cb3d1ef01aecd5e7aee74b42670be5bc7
child 274226 b34c538f36804b7030a32404e67c859d52340a9d
push id863
push userraliiev@mozilla.com
push dateMon, 03 Aug 2015 13:22:43 +0000
reviewerskeeler
bugs1128607
milestone40.0a1
Bug 1128607 - Test the freshness check for OneCRL (r=keeler)
security/manager/ssl/tests/unit/test_ev_certs.js
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -149,16 +149,57 @@ function run_test() {
   add_test(function () {
     check_no_ocsp_requests("non-ev-root", SEC_ERROR_POLICY_VALIDATION_FAILED);
   });
 
   add_test(function () {
     check_no_ocsp_requests("no-ocsp-url-cert", SEC_ERROR_POLICY_VALIDATION_FAILED);
   });
 
+  // Check OneCRL OCSP request skipping works correctly
+  add_test(function () {
+    // enable OneCRL OCSP skipping - allow staleness of up to 1 day
+    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 86400);
+    // set the blocklist-background-update-timer value to the recent past
+    Services.prefs.setIntPref("app.update.lastUpdateTime.blocklist-background-update-timer",
+                              Math.floor(Date.now() / 1000) - 1);
+    clearOCSPCache();
+    // the intermediate should not have an associated OCSP request
+    let ocspResponder = start_ocsp_responder(["ev-valid"]);
+    check_ee_for_ev("ev-valid", gEVExpected);
+    Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
+    ocspResponder.stop(run_next_test);
+  });
+
+  add_test(function () {
+    // disable OneCRL OCSP Skipping (no staleness allowed)
+    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 0);
+    clearOCSPCache();
+    let ocspResponder = start_ocsp_responder(
+                          gEVExpected ? ["int-ev-valid", "ev-valid"]
+                                      : ["ev-valid"]);
+    check_ee_for_ev("ev-valid", gEVExpected);
+    Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
+    ocspResponder.stop(run_next_test);
+  });
+
+  add_test(function () {
+    // enable OneCRL OCSP skipping - allow staleness of up to 1 day
+    Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds", 86400);
+    // set the blocklist-background-update-timer value to the more distant past
+    Services.prefs.setIntPref("app.update.lastUpdateTime.blocklist-background-update-timer",
+                              Math.floor(Date.now() / 1000) - 86480);
+    clearOCSPCache();
+    let ocspResponder = start_ocsp_responder(
+                          gEVExpected ? ["int-ev-valid", "ev-valid"]
+                                      : ["ev-valid"]);
+    check_ee_for_ev("ev-valid", gEVExpected);
+    Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
+    ocspResponder.stop(run_next_test);
+  });
 
   // Test the EV continues to work with flags after successful EV verification
   add_test(function () {
     clearOCSPCache();
     let ocspResponder = start_ocsp_responder(
                           gEVExpected ? ["int-ev-valid", "ev-valid"]
                                       : ["ev-valid"]);
     check_ee_for_ev("ev-valid", gEVExpected);
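Review bot: The three added tests clear `security.onecrl.maximum_staleness_in_seconds` but never restore `app.update.lastUpdateTime.blocklist-background-update-timer`, so the value written in the first and third tests leaks into everything that runs afterwards, including the existing EV test directly below, which expects an OCSP request for `int-ev-valid`. Whether that later expectation still exercises revocation checking then depends on the default staleness limit, which is not visible in this hunk. I would add `Services.prefs.clearUserPref("app.update.lastUpdateTime.blocklist-background-update-timer");` next to each existing `clearUserPref` call, and set the timer explicitly in the second test so it does not depend on the first test's leftover value. The literal `86480` would also read better as `86400 + 80` with a comment saying the extra 80 seconds is margin past the one-day limit. run_test's body starts and ends outside the hunk.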